Dutch hacker holds jailbroken iPhones “hostage” for €5 (Updated)

One Dutch hacker managed to find and hack into jailbroken iPhones, though it …

Though jailbreaking an iPhone certainly opens up opportunities to add functionality that Apple doesn't approve of, it can also make an iPhone less secure. Several Dutch iPhone users found that out the hard way after a hacker attacked a number of vulnerable phones on T-Mobile Netherlands and tried to extort €5 from them.

It appears one enterprising Dutch hacker used port scanning to identify jailbroken iPhones on T-Mobile Netherlands with SSH running. Enabling SSH is a common procedure for jailbroken iPhones, allowing a user to log in via Terminal and run standard UNIX commands. Unfortunately, iPhones all have a default root password that many forget to change after jailbreaking, leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition.

The hacker relied on unchanged root passwords to hack into the phones. He then sent what appears to be an SMS alert to the hacked phones (in reality it's a replaced wallpaper) that read, "You iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files." Going to the website directs the user to send €5 to a PayPal account, after which the hacker will e-mail instructions to remove the hack—which most likely involve restoring the iPhone to factory settings.

The hacker doesn't appear to have malicious intent, other than to glean some extra cash. "If you don't pay, it's fine by me," reads the page mentioned in the message to the hacked iPhone owners. "But remember, the way I got access to your iPhone can be used by thousands of others—they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."

An Ars reader familiar with computer security let us know that security researchers have done similar port scanning in the past, and downloaded users' SMS databases as a "proof of concept." However, this is the first time that it seems the technique has been used in the wild. It's worth noting that the technique is fairly trivial and could be done by anyone with even a modicum of networking know-how.

The incident highlights the fact that jailbreaking removes the security mechanisms that Apple has in place for the iPhone OS—which are as much about securing the device against hackers as they are about preventing "unauthorized" applications. If you do jailbreak, then the onus of security is on you, so be sure to change the root password to something other than the default. You can also disable the SSH daemon when not in use to prevent this particular attack from happening to you.

UPDATE: It appears the young hacker has had a change of heart on the money issue, and posted instructions for undoing what he did to several Dutch iPhone users. According to a commenter below, he has also apologized for asking for money and returned whatever ill-gotten gains he received from his stunt. However, that doesn't mean someone else couldn't pull the same trick and just not tell you about it. So for goodness sake, if you jailbreak and do things like leave an SSH daemon running, change the default passwords.
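
A way to check for the exposure the article describes, as an added example that is not part of the original article: the script reads an `sshd_config` and reports whether root can still log in over SSH with a password. The function names, the constructed sample configs and the assumed defaults of `yes` (the behaviour of older OpenSSH builds) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the
# exposure described above, root reachable over SSH with a password.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd uses for KEYWORD in the global section: keywords are
# case-insensitive, the first occurrence wins, parsing stops at a Match block.
effective_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# root_password_login_allowed FILE: exit status 0 if root can log in with a
# password. Defaults of "yes" are an assumption matching older OpenSSH builds.
root_password_login_allowed() {
    [ "$(effective_value "$1" PermitRootLogin yes)" = yes ] &&
    [ "$(effective_value "$1" PasswordAuthentication yes)" = yes ]
}

# write_samples DIR: constructed sample configs, not taken from any device.
write_samples() {
    printf '%s\n' '# stock-style config: nothing set, defaults apply' \
        'Port 22' '#PermitRootLogin no' > "$1/default.conf"
    printf '%s\n' 'Port 22' 'permitrootlogin no' \
        'PermitRootLogin yes' 'PasswordAuthentication no' > "$1/hardened.conf"
}

audit() {
    if root_password_login_allowed "$1"; then
        echo "EXPOSED  $1: root password login over SSH is permitted"
    else
        echo "OK       $1: root password login over SSH is refused"
    fi
}

dir=$(mktemp -d)
write_samples "$dir"
audit "$dir/default.conf"
audit "$dir/hardened.conf"
rm -rf "$dir"
```

A commented-out `#PermitRootLogin no` changes nothing, which is why the first sample is still reported as exposed; the check covers the configuration only and says nothing about whether the root password itself was changed.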

Originally posted by flyingember: proof that jailbreaking can break your phone

Eh. Root is disabled on the actual full Mac OS X by default as well, and if you enable it then it opens up the 100% identical issue as what's here to be honest. I think this barely even deserves to be called hacking, it's just somebody enabling a feature off by default and then failing to add the basic security necessary as well. Their phones are still sync'd with iTunes, so they now just have to wipe them, re-sync and then re-jailbreak (this time adding a proper password duh), and that's much, much, much less effort than most people would have to go through if their computers got rooted.

Speaking of which:

quote:

...which most likely involve restoring the iPhone to factory settings.

It's not the most likely solution, it's the only solution. You got rooted. Game over, reinstall and restore data from backup time, if someone had root on your system it can no longer be trusted at all. There are so many sneaky ways to hide backdoors with that kind of power that it's really not worth the effort or risk of attempting anything but a fresh start, unless of course the system was a dedicated honey pot or something and you're trying to do analysis of what was done after the fact.

The incident highlights the fact that jailbreaking removes the security mechanisms that Apple has in place for the iPhone OS—which are as much about securing the device against hackers as they are about preventing "unauthorized" applications.

Yeah, being familiar with Apple, I have to disagree that security against hackers is anywhere near as important to them as maintaining control.

" leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition." and of course petrol in the tank... overemphasis really has to do it all to work.

As I got my iphone i jail broke it, then gave it to my sis coz i didnt like the damn thing.

When i got the phone i did weight the pro of having a totally secure phone on one hand and having a phone that I had wayyyy more options with, it wasn't even a tough decision, a few minutes later i had a jailbroken phone.

Originally posted by www.eZee.se: As I got my iphone i jail broke it, then gave it to my sis coz i didnt like the damn thing.

When i got the phone i did weight the pro of having a totally secure phone on one hand and having a phone that I had wayyyy more options with, it wasn't even a tough decision, a few minutes later i had a jailbroken phone.

No regrets.

This.

I have already decided to abandon the platform because of Apple's change in stance to open hostility toward the jailbreak community. I'm simply not interested in the iron-fist approach to product management - in fact, fuck you, you don't get to "manage" your brand once it's in my hand, period.

Originally posted by www.eZee.se: As I got my iphone i jail broke it, then gave it to my sis coz i didnt like the damn thing.

When i got the phone i did weight the pro of having a totally secure phone on one hand and having a phone that I had wayyyy more options with, it wasn't even a tough decision, a few minutes later i had a jailbroken phone.

No regrets.

This.

I have already decided to abandon the platform because of Apple's change in stance to open hostility toward the jailbreak community. I'm simply not interested in the iron-fist approach to product management - in fact, fuck you, you don't get to "manage" your brand once it's in my hand, period.

Glad you have decided to move to something that suits you rather than whinging abou.... oh wait.

Apple makes the product, use it as they like or don't bitch when they break things for people doing non warranty hacks.

In the mean time the teenager has:
* been identified
* taken down the Paypal link and returned the 5 euros he "earned"
* published instructions on how to undo what he did
* apologized to the world at large

That however doesn't mean that:
1. He may have left another nasty he's not telling about
2. Someone else hasn't done the same

For all we know people have been harvesting passwords and installing keyloggers for a year. Hands up those who use their iPhone for Internet banking. *raises hand*

Originally posted by IvanM: "his doesn't say anything other than if you give users enough control to hang themselves, they can, and some percentage of them will."

Yup... and we non users know all that stuff

When I buy a device, it isn't some corporation's job to deliberately interfere with how I choose to enjoy it. Apple's remedy for jail breaking should be restricted to voiding the warranty. That's their sole legitimate interest here. Fine, I jail break, I lose the warranty. End of discussion.

I don't get why we're all so willing to give companies all these controls over products they sell us. If we want to play it their way, fine, but if we don't, they shouldn't be able to go in and stop us after the fact. Jail breaking does Apple's interest in a well-regulated device no real harm (the phone company used to make this same bogus argument to prevent phones from being sold instead of leased -- we eventually recognized the inherent anti-consumer argument and abolished it and -- guess what -- no real harm done to anything but a monopoly and its profits).

All jail breaking really does is over set Mr. Control Freak's attitude towards his customers. That ought to be his problem, not something enforceable in court or technically frustrated after the fact.

In any case, it's stupid to pick a war with one's customers, even a minority of them.

Moral of the story? Change your freaking root password if you jailbreak! I mean damn. Every half-assed Linux user (not including Ubuntu) knows this is a fundamental step. The Iphone is just OS X lite. If you know enough about ssh to use it, you should know how to change the root password. And better yet, make it to where root cannot log onto ssh at all (if you can).

Banzai: All computer systems have one security hole:

The user.

And for some reason, no one seems to want to release a security patch for it. Proper security habits are way more important than the underlying OS.

Here's a tip:
Once you jailbreak your iPhone - look at the title page of Cydia and look at the User Guides.
The one that says: "OpenSSH Access How-To"
At the bottom it says "Change Default Password"
Corblimey Step 3 explains how to "Change the root Password", and 4 "Change the mobile Password"
It's not exactly rocket science.

i jailbroke my old iphone using pwnage tool, but have never even used cydia, i just did it mainly to unlock the phone. i have never manually installed ssh or anything, would i still need to change the root password or does that only apply if you've installed and turned on ssh?

Yes, this is mostly the fault of the user, but Apple has to take some of the blame (and the open source community if we look at the whole landscape). One simple step, and this whole thing is avoided: Disable root login via SSH by default. This is one of the first things I do when setting up a *nix box, and quite honestly, should be configured that way out of the box.

Originally posted by John Is My Name: Yes, this is mostly the fault of the user, but Apple has to take some of the blame (and the open source community if we look at the whole landscape).

What, what? How does the "open source community" need to take the blame of this?

The project being used for the jailbreaking that's LEAVING root login by SSH enabled (at all, regardless of the password) by default certainly needs to take the blame, but leave "the open source community" as a whole the hell out of it.

Originally posted by The Shadow: The project being used for the jailbreaking that's LEAVING root login by SSH enabled (at all, regardless of the password) by default certainly needs to take the blame, but leave "the open source community" as a whole the hell out of it.

Jailbreaking with any of the tools out there does not enable SSH at ALL. The user has to go out herself and install the SSH daemon through a package manager. They are warned that they ought to change the root password if they do that.

Most users install the SSH daemon as part of lame tutorials that show them how to do some "cool mod" or another and really have no understanding of what they're actually doing. These mods do require root, and 99% of the time when users are SSH'ing into their iPhone, they do require root access.

Anyway, I blame the culture in the iPhone modding community and their casual approach to security; not the jailbreakers who just want third-party apps, but the teenagers who like to rice out their devices.

Originally posted by John Is My Name: Yes, this is mostly the fault of the user, but Apple has to take some of the blame (and the open source community if we look at the whole landscape).

What, what? How does the "open source community" need to take the blame of this?

The project being used for the jailbreaking that's LEAVING root login by SSH enabled (at all, regardless of the password) by default certainly needs to take the blame, but leave "the open source community" as a whole the hell out of it.

It starts at the level of the SSH project (part of the open source community). When they're not disabling it, it falls to the open source projects which use SSH, whether it be an OS or a configuration tool which enables SSH. At any one of those points the open source community can take the steps necessary to disable it. Instead, it's left up to the end user to disable something that is a) a potential security hole and b) doesn't need to be enabled by default in the first place.

Originally posted by Cailin Coilleach: For all we know people have been harvesting passwords and installing keyloggers for a year.

++

We just know about this one because the kid was dumb enough to broadcast it. The smart ones are not telling anyone what they're doing or what data they're getting.

What I don't get is why only so few are seeing the actual implications of this. I see most people taking a "who cares?" attitude, because who cares if someone can brick your phone? Or who cares if someone has had remote access to your phone? Is everyone too naive to see the big picture here?

Originally posted by heartburnkid: That is the most horrible attitude towards anything I've ever seen in my life. If people only used things as "intended", the entire concept of innovation would no longer exist.

You're right, innovation wouldn't exist but most companies did not design their products to be hacked into. If a revision to the product calls for a change, the company's not thinking about the hacker; just revising the product. If the path is crossed, too bad hacker; tough it out and start again. Like that Lamborghini. I mount a tow-ball on it so I can pull a single-axle trailer. Then I get a recall notice in the mail -pertaining to the drive train- to bring the car in. They see the ball and give me 2 choices: I remove the ball or they remove the ball. Either case; warranty voided and I pay for recall. There's your innovation but it's my car! Who the hell they think they are! What gives them the right to change things!? I should be able and allowed to do what I want to MY car! If they designed it properly in the first place, I wouldn't have had to figure out a way to mount a tow-ball on the rear 'bumper'!

quote:

Originally posted by StarKruzr: I have already decided to abandon the platform because of Apple's change in stance to open hostility toward the jailbreak community. I'm simply not interested in the iron-fist approach to product management - in fact, fuck you, you don't get to "manage" your brand once it's in my hand, period.

Originally posted by JasonKiddy: Here's a tip:
Once you jailbreak your iPhone - look at the title page of Cydia and look at the User Guides.
The one that says: "OpenSSH Access How-To"
At the bottom it says "Change Default Password"
Corblimey Step 3 explains how to "Change the root Password", and 4 "Change the mobile Password"
It's not exactly rocket science.

Originally posted by senshikaze: Moral of the story? Change your freaking root password if you jailbreak! I mean damn. Every half-assed Linux user (not including Ubuntu) knows this is a fundamental step. The Iphone is just OS X lite. If you know enough about ssh to use it, you should know how to change the root password. And better yet, make it to where root cannot log onto ssh at all (if you can).

Banzai: All computer systems have one security hole:

The user.

And for some reason, no one seems to want to release a security patch for it. Proper security habits are way more important than the underlying OS.

I don't know about you, but when I patch my systems they don't call me the next day after re-introducing the same problem and telling me they don't remember me saying that. Users don't want to be patched. I can't believe that guy at MS actually got in trouble for saying "there's no patch for human stupidity." Well actually I can because it's the single most honest thing I've ever heard MS say on the record.